CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-38551
https://notcve.org/view.php?id=CVE-2023-38551
31 May 2024 — A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack. Una vulnerabilidad de inyección CRLF en Ivanti Connect Secure (9.x, 22.x) permite a un usuario autenticado con altos privilegios inyectar código malicioso en el navegador de una víctima, lo que lleva a un ataque de cross-site scripting. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024 •
CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0CVE-2024-29205
https://notcve.org/view.php?id=CVE-2024-29205
24 Apr 2024 — An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in-order-to cause service disruptions. Una vulnerabilidad de verificación inadecuada de condiciones inusuales o excepcionales en el componente web de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) permite a un atacante remoto no autenticado enviar s... • https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 10.0EPSS: 0%CPEs: 60EXPL: 0CVE-2024-21894
https://notcve.org/view.php?id=CVE-2024-21894
04 Apr 2024 — A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code Una vulnerabilidad de desbordamiento de montón en el componente IPSec de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure permite que un usuario malintencionado no autenticado envíe solicitu... • https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-703: Improper Check or Handling of Exceptional Conditions CWE-787: Out-of-bounds Write •
CVSS: 8.5EPSS: 0%CPEs: 60EXPL: 0CVE-2024-22053
https://notcve.org/view.php?id=CVE-2024-22053
04 Apr 2024 — A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory. Una vulnerabilidad de desbordamiento de montón en el componente IPSec de Ivanti Connect Secure (9.x 22.x) e Ivanti Policy Secure permite que un usuario malintencionado no autenticado envíe solicitudes especialmente ... • https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-703: Improper Check or Handling of Exceptional Conditions CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2024-22052
https://notcve.org/view.php?id=CVE-2024-22052
04 Apr 2024 — A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack Una vulnerabilidad de desreferencia de puntero nulo en el componente IPSec de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure permite que un usuario malintencionado no autenticado envíe solicitudes especialmente manipuladas para bloquear el servi... • https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-476: NULL Pointer Dereference CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 5.3EPSS: 0%CPEs: 60EXPL: 0CVE-2024-22023
https://notcve.org/view.php?id=CVE-2024-22023
04 Apr 2024 — An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS. Una expansión de entidad XML o vulnerabilidad XEE en el componente SAML de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure permite que un atacante no autenticado envíe solicitudes XML especialmente manipuladas par... • https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-476: NULL Pointer Dereference CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 8.3EPSS: 1%CPEs: 8EXPL: 1CVE-2024-22024
https://notcve.org/view.php?id=CVE-2024-22024
13 Feb 2024 — An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. Una entidad externa XML o vulnerabilidad XXE en el componente SAML de Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) y puertas de enlace ZTA que permite a un atacante acceder a ciertos recursos restringidos sin autenticación. • https://github.com/0dteam/CVE-2024-22024 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.5EPSS: 95%CPEs: 107EXPL: 3CVE-2024-21893 – Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2024-21893
31 Jan 2024 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. Una vulnerabilidad de server-side request forgery en el componente SAML de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) e Ivanti Neurons for ZTA permite a un atacante acceder a ciertos recursos restringidos sin autenticación. Ivanti Connec... • https://packetstorm.news/files/id/177229 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 106EXPL: 0CVE-2024-21888
https://notcve.org/view.php?id=CVE-2024-21888
31 Jan 2024 — A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. Una vulnerabilidad de escalada de privilegios en el componente web de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) permite a un usuario elevar privilegios a los de administrador. • https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US •
CVSS: 9.1EPSS: 97%CPEs: 81EXPL: 13CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-21887
12 Jan 2024 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Una vulnerabilidad de inyección de comandos en componentes web de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) permite a un administrador autenticado enviar solicitudes especialmente manipuladas y ejecutar comandos arbitrarios en el disposi... • https://packetstorm.news/files/id/176668 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •